Remote Car Unlock Vulnerability Exposes Major Automaker’s Security Flaw


Hustler Words – Eaton Zveare, a security researcher at Harness, recently uncovered critical vulnerabilities in the online dealership portal of a major automaker he has not named. The flaws gave him what he described as "unfettered access" to the system: a malicious actor in the same position could have remotely unlocked vehicles, read sensitive customer data and tracked vehicle locations. The findings, presented at DEF CON, show how much risk concentrates in dealership management systems.

Zveare's discovery began as a weekend project and hinged on weaknesses in the portal's login flow. He bypassed authentication entirely and created a "national admin" account, which exposed the data of more than 1,000 dealerships across the United States: customers' personal information, financial details and vehicle data. He showed that a VIN or a customer's name alone was enough to identify a vehicle's owner, and he remotely paired a friend's vehicle with a new account he controlled, which effectively unlocked it. He did not attempt to steal a vehicle, but the path from this level of access to theft and other abuse is short.


The root cause was insecure code delivered to the user's browser during login: the security checks it performed ran client-side, so they could be manipulated to bypass them. Zveare notes that the automaker found no evidence of earlier exploitation, which suggests his report was the first. He also pointed to how tightly the dealer systems are interconnected through single sign-on: one compromised account let him move into multiple systems and even impersonate other users. That impersonation feature, similar to one found in a Toyota system in 2023, is a significant risk in its own right, because an identity accepted at the login step is accepted everywhere the SSO trust reaches.

COLLABMEDIANET

The automaker reportedly patched the vulnerabilities within a week of Zveare's disclosure in February 2025. The incident still underscores the need for robust security in dealership portals, which hold highly sensitive customer and vehicle information. Zveare's findings are a reminder of what inadequate authentication costs, and of how seemingly minor API weaknesses cascade once systems are federated behind a single login. The ease with which he gained access makes the case for the automotive industry to strengthen its cybersecurity defenses.
